Last.fm security breach actually happened three months ago

Last week it was reported that Last.fm had been targeted in a string of security breaches that may have been linked to attacks on eHarmony and LinkedIn. New information has since surfaced that reveals the 1.5 million or so compromised passwords were taken at least three months ago.

Last.fm product chief Matthew Hawn published an update over the weekend regarding the matter. In it, he notes that his company was tipped off about a text file posted in a forum that contained cryptographic strings for passwords that might be linked to Last.fm. The company checked its password database against the file and found enough evidence to move forward. At that point it notified customers of the breach and advised them to change their passwords.

Last month, several users reported receiving spam messages at email accounts that were only used to register Last.fm accounts. Matt Knapman, a customer support manager, said his company was investigating the matter and looking for any evidence of a security breach.

GigaOm conducted further research and believes the attack happened in February or March and somehow went undetected by Last.fm officials. But as they note, the problem runs deeper: the security flaw responsible for the breach was written in 2003 and was still in place when developer Russ Garrett left the company three years ago.

This explains how those responsible were able to crack the passwords but it’s still unclear how the hackers got into the website to begin with.